Ensure at least one representative of all classes of injection sinks is guarded with TT

[mbrodesser-Igalia]

Classes of injection sinks are:

1. IDL attributes, e.g. someScript.src = someSrc.
2. JS functions, e.g. eval(someString).
3. DOM APIs, e.g. someScriptElement.setAttribute("src", someSrc).

This is required in order to ensure all injection sinks can be guarded with TT. Finding out later, that some classes can't be covered would violate the second goal of https://w3c.github.io/trusted-types/dist/spec/#goals: "Encourage a design in which security decisions are encapsulated within a small part of the application."

This allows shipping v1 without guarding all injection sinks. Covering the remaining sinks (#385) could be done in v2.

• Class 1 is covered with the StringContext attribute (https://w3c.github.io/trusted-types/dist/spec/#StringContext).
• Class 2 might be covered with https://w3c.github.io/trusted-types/dist/spec/#csp-eval.
• Class 3 might be covered with Figure out what to do with script.setAttribute('src') #402.

Feedback here is appreciated.

[koto]

This allows shipping v1 without guarding all injection sinks. Covering the remaining sinks (#385) could be done in v2.

I'm not sure I follow. Do you propose to only cover 3 sinks in total in v1 of the spec, or the Gecko implementation, or something else? The sinks listed in the spec and WPT all need to be covered in whatever implementation at the moment of shipping any version of the spec - anything else will result in observable differences in websites that already enforce TT (For example, the default policy would be called in one browser, and not called in the other for some sinks).

I'm not opposed to stopping at some point, and listing some of the rarer, or more obscure sinks as level 2, but I think level 1 should be covering what's in the spec vs 1 exemplary sink from 3 classes, as that doesn't match what the authors would expect from a security feature.

[mbrodesser-Igalia]

This allows shipping v1 without guarding all injection sinks. Covering the remaining sinks (#385) could be done in v2.

I'm not sure I follow. Do you propose to only cover 3 sinks in total in v1 of the spec, or the Gecko implementation, or something else?
Something else, sorry for the imprecise wording.

The sinks listed in the spec and WPT all need to be covered in whatever implementation at the moment of shipping any version of the spec - anything else will result in observable differences in websites that already enforce TT (For example, the default policy would be called in one browser, and not called in the other for some sinks).

Agreed.

I'm not opposed to stopping at some point, and listing some of the rarer, or more obscure sinks as level 2, but I think level 1 should be covering what's in the spec vs 1 exemplary sink from 3 classes, as that doesn't match what the authors would expect from a security feature.

Agreed.

That is, all sinks which the spec currently already covers, should continue to be covered. Others, potentially like the one mentioned at #385 (comment) and in the ones in the comments following it, are candidates for v2.
Ensuring new injection sinks are covered (e.g. by something like #385 (comment)) could also be added in v2.

[lukewarlow]

Does this issue need to remain open? Idk if there's anything actionable from it?

[mbrodesser-Igalia]

Does this issue need to remain open?

No.

Idk if there's anything actionable from it?

No.